The Cisco® CRS Carrier Routing System offers industry-leading performance, advanced services intelligence, environmentally conscious design, and system longevity. The Cisco CRS is powered by an advanced chipset architecture and Cisco IOS® XR Software, a unique self-healing, distributed operating system.
Packet-based data communications is being replaced by video and multimedia traffic traversing the IP Next-Generation Network (NGN) in multiple directions, straining the architectural foundations of both public and private networks serving businesses and consumers. As part of the medianet, a media-aware Cisco IP NGN, the Cisco CRS delivers continuous, always-on operations and scales easily from numerous single-chassis form factors to a massive multichassis system. Its design provides industry-leading efficiency, consuming among the least amount of power, cooling, and rack-space resources for a bandwidth capacity that supports intelligent, comprehensive services. The Cisco CRS-3 platform builds on the Cisco CRS-1 platform; it is backward and forward compatible to protect existing and future investments for decades to come.
This data sheet provides detailed product specifications for the Cisco Carrier-Grade Services Engine (CGSE) for the Cisco CRS (Figure 1).
The Cisco CGSE is an integrated multi-CPU service module offering carrier-class performance and scale in support of the Cisco Carrier-Grade IPv6 (CGv6) Solution and distributed-denial-of-service (DDoS) mitigation solution. The Cisco CGSE is a single-slot module supported on all models of Cisco's proven high-end carrier-class routing system: the Cisco CRS-1 and CRS-3 platforms. The Cisco CGv6 Solution, running on one or more Cisco CGSE modules inside a Cisco CRS, can scale to tens of millions of IP address translations with tens of gigabits of performance to address IPv4 depletion and enable IPv6 transition. Several modules can be populated within a chassis for a high-performance solution that can be deployed at places in the network where the best Cisco CGv6 coverage can be obtained.
Cisco has licensed the Arbor Peakflow Service Provider (SP) Threat Management System (TMS) from Arbor Networks to provide DDoS mitigation capabilities on the CRS, enabling service providers to offer the following:
• Managed DDoS mitigation services to enterprise clients
• Protection of the network backbone and services offered by the service provider against attacks originating from both the outside and the inside of the service provider network
This data sheet provides detailed product specifications for the Cisco CGSE module and details about the DDoS mitigation software available on the Cisco CGSE.
The Cisco CGSE supports a highly available architecture with line-rate accounting and logging of translation information. The Cisco IOS XR Software on the platform offers a flexible means to divert selected packets through the Cisco CGSE while enabling global IPv4 and IPv6 packets to traverse the Cisco CRS forwarding infrastructure as usual.
Figure 1. Cisco CRS Carrier Grade Service Engine
Powerful Performance
The Cisco CGSE housed inside a Cisco CRS offers carrier-class performance for Cisco CGv6 services:
• More than one million connection setups per second for stateful IPv4 and IPv6 Network Address Translation (NAT)
• Real-time off-device logging of NAT translation states using Cisco NetFlow 9
• Line-rate forwarding for IPv4 and IPv6
The powerful performance of the Cisco CGSE, as discussed previously, helps ensure that the end-user experience continues to be optimal for all services.
Cisco CGSE DDoS Mitigation Software
The Arbor Peakflow SP TMS software has been ported to the Cisco CGSE module to provide DDoS mitigation. The Arbor Peakflow SP Collector Platform appliance monitors the network, performing an analysis of traffic in real time to detect a comprehensive set of DDoS attack signatures. Upon detecting an attack, it redirects traffic to the threat management system on the Cisco CGSE module, or a bank of Cisco CGSE modules, on the Cisco CRS, where the attack is surgically mitigated, and clean traffic is reinjected into the network. Figure 2 illustrates the DDoS mitigation mechanism.
Figure 2. Cisco CGSE DDoS Mitigation
The main capabilities of the Cisco CGSE DDoS mitigation solution are as follows:
• Throughput: Up to 10 Gbps of DDoS mitigation capability is provided per Cisco CGSE module.
• Scalability: Up to 120 Gbps (12 Cisco CGSE modules), 60 Gbps (6 Cisco CGSE modules), and 30 Gbps (3 Cisco CGSE modules) are provided per Cisco CRS 16-slot, 8-slot, and 4-slot chassis, respectively.
• Load balancing: Attack traffic can be load-balanced across multiple Cisco CRS routers with Cisco CGSE modules, or across multiple Cisco CGSE modules within a Cisco CRS. Additionally, the multi-CPU architecture of the Cisco CGSE module allows DDoS attack flows from multiple sources to be handled simultaneously, enabling greater mitigation performance.
• Multiple configuration options: Traffic redirection and reinjection can be accomplished by IP redirect, using Layer 3 VPN (L3VPN) or generic routing encapsulation (GRE) tunnels.
• Flexible deployment scenarios: Implement distributed deployment across multiple peering and provider-edge sites to offer mitigation at the point closest to the attack, or centralized deployment with a "scrubbing center" model using a cluster of Cisco CGSE modules in one more Cisco CRS routers.
• Comprehensive DDoS mitigation capabilities: The solution addresses the full set of DDoS attack types and includes IPv6 support and an optional Atlas Fingerprints subscription to stay current with the latest attack signatures. For more information, please refer to the Arbor SP Peakflow TMS datasheet.
Massive Scalability
As an increasing multitude of subscribers with their numerous applications traverse the network, the Cisco CGSE scales to support this growth:
• Up to 20 million stateful NAT translations per Cisco CGSE module
• Support for tens to hundreds of thousands of private IPv4 subscribers accessing the public IPv4 Internet
• Support for tens to hundreds of thousands of IPv6 subscribers accessing the IPv4 Internet
• Capability to add multiple Cisco CGSE modules in a chassis, increasing performance linearly
Integrated Services
The Cisco CGSE module is designed for the proven high-end routing platform of the Cisco CRS. It is supported on all the form factors of the Cisco CRS-1 and CRS-3: 4-, 8-, and 16-slot and multichassis versions. This breadth of deployment options allows service providers to scale the Cisco CGSE to their appropriate needs. Also, the Cisco CGSE is integrated with the routing intelligence of the Cisco CRS, providing the significant operation efficiencies of a single OS. Because the Cisco CRS platform supports secure domain routers (SDRs), providers have the flexibility to integrate the Cisco CGSE on a virtualized network infrastructure.
The following services are available on the Cisco CGSE (Figure 3):
• Full IPv4 and IPv6 routing and forwarding on the Cisco CRS platform
• Service provider-class NAT44 to address IPv4 depletion based on IETF NAT behaviors as described in RFCs 4787, 5382, and 5508
• IPv6 Rapid Deployment Border Relay (6rd BR, described in RFC 5969)
• Stateful and stateless IPv4 and IPv6 translation based on IETF BEHAVE specifications
• Service provider-class NAT64 translations based on IETF NAT behavior as described in RFC 6146
• Service provider-class Dual-Stack Lite (DSLite) translations based on existing IETF behavior as described in RFCs 6333 and 6334
• Network Positioning System (NPS)
The Cisco CGSE interface module on the Cisco CRS offers service providers a near-term solution to address IPv4 depletion and preserve a service provider's present mode of operation (PMO). At the same time, it enables one or more methods to offer a low-risk, cost-effective means to activate IPv6 tunneling and translation functions.
For more information about the Cisco CRS or about other interfaces available for the Cisco CRS, visit www.cisco.com/go/crs.
Figure 3. Cisco CGv6 Solution
Product Specifications
Table 1 lists the specifications of the Cisco CGSE.
Table 1. Product Specifications
Feature
Description
Chassis compatibility
Compatible with all current Cisco CRS-1 and CRS-3 line-card chassis
Forwarding-engine compatibility
Compatible with the following forwarding engines: CRS-MSC-40G-B, CRS-MSC-20G-B, and CRS-MSC
Software compatibility
Cisco IOS XR Software Release 3.9.1
Protocols
• NAT44 (RFCs 4787, 5382, and 5508)
• NAT64 (RFC 6146 )
• DSLite AFTR (RFC 6334 )
• Cisco NetFlowv9
• Port Control Protocol
Feature summary
• Stateful IPv4 NAT (NAT44)
• Stateful IPv6 to v4 NAT (NAT64)
• Stateless IPv6 to v4 NAT (NAT64 SL)
• Stateful DSLite translation AFTR function
• 6rd BR
Performance
• 20 Gbps of throughput
• Maximum number of physical layer interface modules (PLIMs) per chassis: 4 slots: 3; 8 slots: 7; and 16 slots: 12
Reliability and availability
• Online insertion and removal (OIR) without affecting system traffic
Cisco delivers innovative services programs through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco Services helps you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, contact your local Cisco representative or visit www.cisco.com.
For More Information
For more information about the Cisco CRS Carrier-Grade Services Engine PLIM, contact your local Cisco representative or visit www.cisco.com/go/crs.
